BYOD Risks & Rewards

How to keep employee smartphones, laptops and tablets secure

What BYOD means for security

It’s risky to assume that prohibiting personal devices solves the problem, because employees end up using their own devices anyway, unmonitored and undeterred by your security policies.

Whatever they think of BYOD and however they choose to implement it, IT managers should treat it the same way as any introduction of new technology: with a controlled and predictable deployment.

Ask yourself:

Who owns the device? The answer to that question has changed over time. In the past, the company owned the devices. With BYOD, the devices are owned by the user.

Who manages the device? Previously this was an easy question to answer. Today it could be either the company or the end user.

Who secures the device? Accountability is not something that goes away for a user just because they personally own the device. After all, the data carried on it is company-owned.

Answering these questions is fundamental to both understanding the risks and taking advantage of the rewards of BYOD.

All organizations have the flexibility, based on their corporate culture and regulatory requirements, to embrace BYOD as much as they deem reasonable. For example, there are companies that have decided the risk is too great and have chosen not to implement a BYOD program.

In May 2012, IBM banned its 400,000 employees from using two popular consumer applications over concerns about data security. The company banned cloud storage service Dropbox, as well as Apple’s personal assistant for the iPhone, Siri. Siri listens to spoken requests and sends the queries to Apple’s servers where they are deciphered into text. Siri can also create text messages and emails on voice command, but some of these messages could contain sensitive, proprietary information.

Ultimately, the success of your BYOD program is measured by your employees’ willingness to use their personal devices within the rules you set for them. Your organization’s security procedures and policies should determine whether and how you adopt BYOD.

You need to have the ability to enforce security policies on a device level and protect your intellectual property if that device is ever lost or stolen.